Monday, June 28, 2010

The Rise of Application SOCs

I completely agree. An application-level security operations center is a must for anyone who wants to defend enterprise-grade applications from attackers. There is, however, a balance to strike between automated response and human analysis. It's just not feasible for a human to analyze every generated event. That's where a low or zero false positive detection network inside the application itself earns its keep: events that a legitimate user can never produce can be answered automatically, leaving the analysts for the ambiguous ones.

I had the good fortune of working for a few years in the Motorola network security operations center, and I am using that experience, along with OWASP AppSensor concepts, to form the foundation of an Application SOC at Mozilla.
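To make the automated-versus-human split concrete, here is an added example of AppSensor-style detection points wired into a single endpoint (this is illustrative code written for this post, not Mozilla's implementation or the AppSensor project's own code; the endpoint, detection point names, thresholds, user sessions and sample requests are all constructed). Two detection points, a tampered server-rendered hidden field and a wrong HTTP method, cannot be tripped by someone driving a browser normally, so they fire on the first event and get an automatic response. The third, an unexpected extra parameter, can come from a browser extension or a stale bookmark, so it only accumulates per user and is handed to an analyst once it crosses a threshold.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Session -> account id, as the server knows it. Constructed sample data.
SESSION_ACCOUNT = {"alice": "1001", "bob": "1002", "carol": "1003"}

# Contract for the one endpoint this toy app exposes. The form is rendered
# server-side with a hidden acct_id field, so a browser-driven user can never
# legitimately change it or submit the form with a different HTTP method.
ENDPOINT = "/account/update"
EXPECTED_METHOD = "POST"
ALLOWED_PARAMS = {"display_name", "timezone", "acct_id"}


@dataclass(frozen=True)
class DetectionPoint:
    name: str
    threshold: int   # events from one user before the response fires
    response: str    # "lockout", "logout" or "analyst_review"


# Zero-false-positive points get threshold 1 and an automatic response; the
# noisy point accumulates and is handed to a human. Names are hypothetical.
DETECTION_POINTS = {
    "hidden_field_tampered": DetectionPoint("hidden_field_tampered", 1, "lockout"),
    "unexpected_http_method": DetectionPoint("unexpected_http_method", 1, "logout"),
    "unknown_parameter": DetectionPoint("unknown_parameter", 5, "analyst_review"),
}


@dataclass
class Request:
    user: str
    method: str
    path: str
    params: dict


@dataclass
class SensorState:
    counts: dict = field(default_factory=lambda: defaultdict(int))
    locked_out: set = field(default_factory=set)
    analyst_queue: list = field(default_factory=list)


def detect(req):
    """Return the names of the detection points this request trips."""
    fired = []
    if req.path != ENDPOINT:
        return fired
    if req.method != EXPECTED_METHOD:
        fired.append("unexpected_http_method")
    if "acct_id" in req.params and req.params["acct_id"] != SESSION_ACCOUNT[req.user]:
        fired.append("hidden_field_tampered")
    if set(req.params) - ALLOWED_PARAMS:
        fired.append("unknown_parameter")
    return fired


def inspect(req, state):
    """Run detection, apply per-user thresholds and return the responses taken."""
    if req.user in state.locked_out:
        return ["blocked"]
    actions = []
    for name in detect(req):
        dp = DETECTION_POINTS[name]
        key = (req.user, name)
        state.counts[key] += 1
        if state.counts[key] < dp.threshold:
            continue                      # below threshold: count it, do nothing yet
        state.counts[key] = 0
        if dp.response == "lockout":
            state.locked_out.add(req.user)
        elif dp.response == "analyst_review":
            state.analyst_queue.append((req.user, name, req.params))
        actions.append(dp.response)       # "logout" is left to the caller to enforce
    return actions


def run_sample():
    """Replay a constructed sequence of requests and return the resulting state."""
    state = SensorState()
    results = []
    # alice: an ordinary form submission, nothing fires
    results.append(inspect(Request("alice", "POST", ENDPOINT,
                                   {"display_name": "A", "timezone": "UTC", "acct_id": "1001"}), state))
    # bob: replays the form with another account's id, locked out on the first event
    results.append(inspect(Request("bob", "POST", ENDPOINT,
                                   {"display_name": "B", "timezone": "UTC", "acct_id": "1001"}), state))
    results.append(inspect(Request("bob", "POST", ENDPOINT,
                                   {"display_name": "B", "timezone": "UTC", "acct_id": "1002"}), state))
    # carol: an extra parameter five times, queued for an analyst on the fifth
    for _ in range(5):
        results.append(inspect(Request("carol", "POST", ENDPOINT,
                                       {"display_name": "C", "timezone": "UTC",
                                        "acct_id": "1003", "debug": "1"}), state))
    return state, results
```

The point of the split is in `DETECTION_POINTS`: the response attached to a detection point should be no stronger than the confidence that a legitimate user cannot trigger it, which is why only the hidden-field case locks the account outright and the extra-parameter case merely lands in a queue.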

From Dailydave:

So when I gave the FIRST talk, one of the questions was 
"What is the solution?" which when people ask that usually 
has a slight overtone of "It's easy to knock the blocks down, 
but not to set them up!" to it.

Here's what I see:

The major problem with 90's era technology (i.e. scanners/
sniffers!) is that they are in a very high noise/low signal 
environment. This is as true for static code analysers as 
it is for IDSs and Web Application Firewalls.

Immunity sees lots of success (and has for many years) with 
organizations that have done high level instrumentations 
against their applications, and then used powerful data 
mining tools to look at that data.

But with all Things That Really Work (tm), there are many 
1. Analysis is mind bogglingly expensive. It takes lots of 
time, you never know if you're going to find something 
useful, and the people and tools to do it are expensive. 
Palantir is just one example of how hard this problem is 
in general, but even just having the DISK SPACE to do it 
on is prohibitive.

2. Choosing what to instrument is extremely hard as well. 
There's some work being done on this:

3. Visualization is hard - security visualization often 
is great once you already have found something (i.e. "Here 
it is in a pretty graph"). If you haven't already found 
something, visualization is a hard thing to make "exploratory". 
Especially with lots of data.


So what you see is the start up of what I like to call the 
"Application SOC". It's like a network SOC, but way more 
expensive, and with the chance of being actually useful! :>

I'll go more into this whole thing when El Jefe goes into 
Beta, but for now, who has gotten caught by something like this?

-dave

-Michael Coates